Service Organization Controls Reports in My Software (as a Service) Vendor Audit

Under today's fierce market conditions, companies pursue a strategy of focusing resources on key competencies in order to gain, sustain, and grow a competitive position. What is true for the market as a whole applies to the pharmaceutical industry as well. Therefore, pharmaceutical companies set their focus on the main purpose for being in business - simply speaking, "drug making". As a consequence, functional areas not considered a core competency are outsourced into models spanning a wide variety of flavors.

Outsourcing of IT-related services is a classic example of such an area. It has been around for quite a while and initially started with basic commodity offerings. Nowadays, however, "the cloud" is on everybody's lips, and entire, configurable software applications can be bought and operated completely off-premise. Moreover, even software solution vendors leverage the described principle and buy external IT-operations services as needed - both in support of internal processes and to create "as a service" offerings themselves.

Within the area of regulated software applications, the accountability for ensuring a system's fitness for purpose and its operation within specifications stays with the pharmaceutical company - regardless of the chosen delivery model. Nonetheless, auditors are confronted with a variety of the aforementioned "division of labor" models. Within the described context, it is not uncommon that auditees provide the auditor with so-called SOC1 or SOC2 reports as proof of documented evidence - whether for the software vendor itself or for another third party it uses, which is mostly a datacenter.

This presentation gives a heads-up on the described scenario and shares thoughts on these reports in the context of a software (as a service) vendor audit from a GxP-regulated, pharmaceutical industry perspective. How can their contents be used to facilitate an audit, and would you want to use these reports themselves as documented evidence - and for what? What aspects do they typically cover, and who issues them? What does it mean if the report is self-compiled and attested by a third party? What conclusions could be drawn from the time period covered?

The presenter will share some anonymized facts encountered, including personal thoughts on this topic, with the intent to create sensitivity, facilitate preparedness, and launch individual thought processes in support of your audit activities.

Additional Info

  • Date(s): 14–Apr–2015
  • Event/Context: SQA 2015 31st Annual Meeting and Quality College
  • Location(s): Tampa, FL, U.S.A.